aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch65
1 files changed, 65 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch
new file mode 100644
index 0000000000..687eb0af76
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch
@@ -0,0 +1,65 @@
+From ef6298177a8390c01f5084ba89a808015a0b9473 Mon Sep 17 00:00:00 2001
+From: Gerald Squelart <gsquelart@mozilla.com>
+Date: Thu, 22 Oct 2015 10:00:12 +0200
+Subject: [PATCH] Bug 1204580 - Check box ranges for overflow - r=rillian, a=al
+
+---
+ media/libstagefright/binding/Box.cpp | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/media/libstagefright/binding/Box.cpp b/media/libstagefright/binding/Box.cpp
+index 71c79ed..2558be0 100644
+--- a/media/libstagefright/binding/Box.cpp
++++ b/media/libstagefright/binding/Box.cpp
+@@ -40,6 +40,11 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent)
+ : mContext(aContext), mParent(aParent)
+ {
+ uint8_t header[8];
++
++ if (aOffset > INT64_MAX - sizeof(header)) {
++ return;
++ }
++
+ MediaByteRange headerRange(aOffset, aOffset + sizeof(header));
+ if (mParent && !mParent->mRange.Contains(headerRange)) {
+ return;
+@@ -67,11 +72,14 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent)
+ uint64_t size = BigEndian::readUint32(header);
+ if (size == 1) {
+ uint8_t bigLength[8];
++ if (aOffset > INT64_MAX - sizeof(header) - sizeof(bigLength)) {
++ return;
++ }
+ MediaByteRange bigLengthRange(headerRange.mEnd,
+ headerRange.mEnd + sizeof(bigLength));
+ if ((mParent && !mParent->mRange.Contains(bigLengthRange)) ||
+ !byteRange->Contains(bigLengthRange) ||
+- !mContext->mSource->CachedReadAt(aOffset, bigLength,
++ !mContext->mSource->CachedReadAt(aOffset + sizeof(header), bigLength,
+ sizeof(bigLength), &bytes) ||
+ bytes != sizeof(bigLength)) {
+ return;
+@@ -82,10 +90,19 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent)
+ mBodyOffset = headerRange.mEnd;
+ }
+
++ if (size > INT64_MAX) {
++ return;
++ }
++ int64_t end = static_cast<int64_t>(aOffset) + static_cast<int64_t>(size);
++ if (end < static_cast<int64_t>(aOffset)) {
++ // Overflowed.
++ return;
++ }
++
+ mType = BigEndian::readUint32(&header[4]);
+ mChildOffset = mBodyOffset + BoxOffset(mType);
+
+- MediaByteRange boxRange(aOffset, aOffset + size);
++ MediaByteRange boxRange(aOffset, end);
+ if (mChildOffset > boxRange.mEnd ||
+ (mParent && !mParent->mRange.Contains(boxRange)) ||
+ !byteRange->Contains(boxRange)) {
+--
+2.5.0
+
generated by cgit